Chapter Description

This chapter gives you an understanding of how Voice over IP (VoIP) is deployed in service provider (SP) networks by describing a use case in which the VoIP infrastructure and the transport and the access are managed by an SP.

From the Book

Voice Security in Service Provider Networks

This section discusses some of the security issues related to deploying IP-based telephony services in SP networks. It covers the security challenges seen at the network element and discusses what can be done to address them. Also, signaling and media encryption is discussed to address some of the security issues.

Securing VoIP Network Elements

To prevent DoS attacks and theft of service, the SP can implement security features on network elements that can minimize the chances of an outsider gaining access to valuable network resources and/or free service.

These security measures can include deploying stateful firewalls in the network that allow only authorized traffic to enter the SP network. Configuring access control lists (ACL) on the edge routers can help prevent unwanted traffic in the network. The endpoints that are connected to the edge of the SP network should be authenticated using the Authentication, Authorization, and Accounting (AAA) protocol. Unauthorized users should be denied access to network resources by either black-holing their traffic or assigning them a low bandwidth class of service that would not allow them to send or receive a significant amount of traffic. The key concept behind black-holing is to stop the propagation of this kind of traffic; on the other hand, a low class of traffic has residue in the network.

Securing Call Signaling and the Media

Because call signaling is used for setting up new calls, tearing down calls, and modifying the state of existing calls, it is important that these signaling messages are secured. In the case of a centralized switching model, such as PacketCable, this is accomplished by having a security association between the endpoint and a trusted network device. A security association is a set of provisioned security elements (for example, security keys) on both the endpoint and the trusted network device. By having a set of security associations, the trusted device can authenticate the endpoint when interacting with it. The interaction that takes place between the endpoint and the trusted device can be encrypted. IP Security (IPsec) is one of the mechanisms used to achieve this with the preprovisioned (preshared) keys. This ensures that all traffic between the two devices is from known sources and encrypted.

Similarly, to protect customer privacy, conversations must be kept private. To do this, the media streams generated by customer conversations must be encrypted. The endpoints in the conversation can negotiate a set of ciphersuites (type of authentication and encryption to be used) and then encrypt all their traffic using the negotiated method. Some of the ciphersuites negotiated by the endpoints can include Hash-based Message Authentication Code Message-Digest Algorithm 5 (HMAC-MD5) and Hash-based Message Authentication Code Secure Hash Algorithm (HMAC-SHA) authentication algorithms, and Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) encryption algorithms.